Eclipse helps overcome development challenges in modern safety-critical IMA systems

Integrated Modular Avionics (IMA) platforms enable developers to integrate multiple discrete applications of different safety-criticality levels as defined by DO-178B onto a single processor through the use of time and space partitioning as defined by ARINC 653. This presents many unique challenges throughout the development cycle that must be addressed in order to successfully and cost-effectively complete the project; these issues include the ability to transition the environment during development, integrate multiple vendors, support multiple connection methods, and ensure a partition-safe environment. These challenges occur in various phases of the development cycle, but they can be overcome by using both hardware- and software-based tools utilizing a common Integrated Development Environment (IDE) based on the open source Eclipse framework.

While IMA systems solve a number of operational and environmental problems for aircraft manufacturers, they present a number of challenges that span the entire development cycle. The typical development cycle for an IMA project will usually involve the development activities and roles defined in Integrated Modular Avionics (IMA) Development Guidance and Certification Considerations (RTCA DO-297), as shown in Table 1.

Table 1

Individuals or teams will execute the specific roles to perform the development, debug, and testing steps as described in DO-297. Each role has its own unique needs for debugging, analyzing, and testing, which lead to a number of challenges throughout the development cycle. These challenges include the ability to:

  1. Transition from each phase of development in a cohesive manner
  2. Integrate multiple vendors' tools into an IDE framework in order to provide the necessary configuration management and testing tools required by DO-178B
  3. Support multiple connection methods to target hardware to reduce costs and enhance flexibility
  4. Ensure a partitioning-safe environment to support integration and DO-178B test for credit

To overcome these challenges and support development roles with such divergent needs and requirements, the use of a common tool and development environment is key to making developers productive and successful. The Eclipse open source framework is a key element in this environment.

Ability to transition environment during development

In the past, developers of single-application avionics LRUs typically followed a development cycle similar in progression to that of an IMA platform. These platforms were then certified to a single DO-178B safety level. The initial hardware bring-up, checkout, and testing were performed by the hardware engineering team and would usually employ hardware-assisted tools such as a JTAG-based In-Circuit Emulator (ICE) or probe. These tools sometimes leave something to be desired once OS and driver bring-up commences and work eventually flows into application development and debug. This is even further exacerbated in a partitioned environment where some hardware-based tools do not provide full partition awareness, effectively eliminating their usefulness in the application realm. Based on experience, this lack of awareness adds costs in both time and effort that can amount to as much as 20 percent of the overall project schedule, because without the base hardware and OS platform, application developers cannot proceed with their work.

The solution to this is a debugging IDE that covers this entire range of development phases through the use of hardware-based tools using a fully partitioned OS debugging connection that has ARINC 653 awareness to allow full visibility into the system. A primary candidate is the Eclipse open-source framework coupled with JTAG-based debugging features for IMA systems. This provides a common "development cockpit" for all engineers involved in the project and reduces training and deployment costs as well as reducing time to productivity.

While these reductions in time may only be 5 to 10 percent, this will produce a large return on investment in the later phases of the project, since delays in later phases tend to be much more costly in time and overall costs. This is largely because issues found in those phases tend to be extremely difficult to resolve without major design impacts and retesting effort. Additionally, having an IDE that can make use of different connection methodologies further extends the usability of the tool. This leverages the best of the Eclipse open-source framework while allowing vendors to provide their own value-add tools to the environment.

Ability to integrate multiple vendors

As shown in Figure 1, the number of tools used in avionics development, debug, and test can be considerable. These tools are required in order to meet the requirements set in DO-178B and cannot be ignored if the project is destined to achieve some level of DO-178B safety certification. In the recent past, multiple vendors would typically supply these tools, each with their own IDE or command line interface that may or may not integrate with the other tools used in the development and test cycle, including configuration management, requirements management, and code generation. This incompatibility can lead to significant cost and churn since developers must learn multiple IDEs and are unable to leverage any commonality between the tools, their interfaces, and operation. These costs could be upwards of 15 percent of the overall project budget.

Figure 1

By employing an open-source framework like Eclipse, multiple vendors can integrate their tools into a common IDE as plug-ins. Eclipse takes advantage of this approach and allows a high level of integration with a large number of tools supplied by many vendors. Figure 2 shows the large number of tools available and where in the development cycle they would normally be employed. Vendors who employ Eclipse and offer the option of installing the entire framework plus plug-ins, or of installing the plug-ins into an existing Eclipse framework, give flexibility to those who manage the development environment companywide.

Figure 2

Ability to support multiple connection methods

Past projects and their development environments typically did not provide any significant capability to choose how to connect to the target system in order to debug, test, and validate applications and system operation. The connection was typically limited to the available hardware port on the board; in a large number of cases, this was a JTAG connection.

While JTAG offers significant capabilities for hardware test, low-level driver development, and test for credit capability, it sometimes leaves application developers lacking visibility into their applications due to the variety of programming languages and complexities of the code, especially as imposed by ARINC 653 time and space partitioning. Without this visibility, application developers may spend additional time trying to isolate specific application issues and bugs, delaying their ability to integrate their application into the full system. These delays tend to stack up and eventually delay project completion.

The ability to exploit a target-resident agent that operates in a time- and space-partition-safe manner as an alternative to JTAG, while still using the same IDE, is the "best of all worlds" for the application developer and the development and test teams. The Eclipse framework serves as that common IDE while exploiting its extensible framework capability by supporting connections ranging from JTAG, serial, and Ethernet to any number of custom connection plug-ins from vendors.

By having full ARINC 653 partition awareness as well as multiple operation modes, these connection methodologies permit the development and debug of single partition-based applications through to full system integration employing multiple application partitions. This saves developers multiple hours of setting up debugging scenarios. These time savings reduce costs, since developers are isolating and fixing bugs rather than fighting with the tools.

Ensuring a partition-safe environment

One challenge unique to the IMA environment is the notion of partition-safe debug and test. ARINC 653 specifies that the OS provides robust time and space partitioning; however, this can be disturbed by intrusive development and test tools, thereby limiting their usefulness and violating the constraints applied for the DO-178B test for credit.

In the past, JTAG was not intrusive to the developer or tester, since it operated at the hardware level and typically was used only to start and stop test scenarios; it would then extract the data for examination on a host IDE. Also, without partitioning, the avionics system typically hosted a single application, so stopping the processor effectively halted all activity with the exception of external signals. As mentioned previously, it is highly desirable to leverage a common IDE for these activities while preserving partitioning both in time and space.

Wind River's Eclipse-based Workbench includes JTAG tools and provides this environment, along with an industry-unique capability: a target agent that is completely OS and ARINC 653 aware, partition safe, and usable in the test-for-credit environment, since it is a DO-178B qualified verification tool. The Agent for the Certified Environment (ACE) is a tool that runs on the deployed hardware platform and employs a communications method that interacts with the DO-178B qualified host-based tool to allow partition-safe debug and OS data extraction using the certifiable system image on the target and qualified host tools. The agent is not part of the deployed binaries for the platform and is only loaded when external conditions such as "weight on wheels" are satisfied, or when a discrete signal indicates the platform is in test mode. This permits testing of the exact binaries that are eventually certified and deployed without contaminating them with test code, which is not permitted in DO-178B certified systems.

These qualified tools allow for interaction and extraction of data from a target system. This capability is unique in the industry and provides users with flexibility and productivity in the development of certified (flight) system environments. This methodology coupled with JTAG and other connectivity technologies has already been used in aircraft certification projects. It is currently being used in test and integration of the Boeing 787 Common Core System running Wind River's VxWorks 653 operating system.
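To make the two partitioning properties concrete, here is an added toy model of an ARINC 653-style major frame; it is example code written for this article, not Wind River's Workbench or ACE code. It assumes a constructed three-partition schedule, constructed address regions, and two constructed costs: an intrusive breakpoint halt that consumes 25 ms of a partition's window, and a bounded, non-blocking agent read that consumes 2 ms. Agent activation is gated on the "weight on wheels" or test-mode discrete described above.

```c
#include <stdbool.h>

#define NUM_PARTS 3
#define AGENT_COST_MS 2    /* bounded cost of a non-blocking agent read (constructed) */
#define HALT_COST_MS 25    /* CPU time lost to a breakpoint/single-step halt (constructed) */

typedef struct {
    const char *name;
    int window_ms, work_ms;   /* OS-enforced time budget; required application work */
    unsigned base, size;      /* the partition's own address region */
} Partition;

/* Constructed schedule: three partitions sharing a 100 ms major frame. */
static const Partition schedule[NUM_PARTS] = {
    {"P1_flight_ctrl", 40, 34, 0x10000u, 0x4000u},
    {"P2_display",     30, 24, 0x14000u, 0x4000u},
    {"P3_maint",       30, 10, 0x18000u, 0x4000u}};

/* The agent may run only on the ground or when a test-mode discrete is
 * asserted, mirroring the "weight on wheels" condition in the article. */
bool agent_enabled(bool weight_on_wheels, bool test_mode_discrete) {
    return weight_on_wheels || test_mode_discrete;
}

/* Time partitioning: run one major frame with debug_ms of tool CPU time
 * spent inside partition `target` (a target of -1 means no tool). The OS
 * cuts each window at its budget, so work that does not fit is lost.
 * Returns the number of partitions that miss their deadline. */
int run_major_frame(int target, int debug_ms) {
    int misses = 0;
    for (int i = 0; i < NUM_PARTS; i++) {
        int used = schedule[i].work_ms + (i == target ? debug_ms : 0);
        if (used > schedule[i].window_ms) misses++;
    }
    return misses;
}
int intrusive_halt_misses(int target) { return run_major_frame(target, HALT_COST_MS); }
int partition_safe_misses(int target) { return run_major_frame(target, AGENT_COST_MS); }

/* Space partitioning: an agent acting for partition `p` may read only
 * inside that partition's own region, and never across an address wrap. */
bool agent_read_allowed(int p, unsigned addr, unsigned len) {
    if (p < 0 || p >= NUM_PARTS || len == 0) return false;
    const Partition *pt = &schedule[p];
    return addr >= pt->base && addr + len >= addr &&
           addr + len <= pt->base + pt->size;
}
```

The halt only fits where a partition has more slack than the halt costs, which is exactly the property a flight-control partition cannot be relied on to have; the agent's bounded cost fits in every window of the constructed schedule.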

IMA is complex, but development shouldn't be

As one can see, an IMA provider faces many challenges. These challenges include the ability to transition the environment during development, integrate multiple vendors, support multiple connection methods, and ensure a partition-safe environment.

These challenges are compounded by the fact that many tools are required to complete the development, debug, and testing of such platforms as prescribed by DO-178B processes and guidelines. By utilizing an open-source IDE framework such as Eclipse, multiple vendors' tools can be integrated easily, and extremely flexible connection methods, including ARINC 653 time- and space-partition-safe tools, can coexist. These tools help reduce initial development costs by reducing training needs, providing the benefits of wide-scale deployment of a common development "cockpit" throughout the organization. Additionally, by providing qualified verification tools, savings in time and productivity are exploited to reduce the expense associated with change throughout the entire IMA platform life cycle, the ultimate goal of employing IMA and ARINC 653.

Larry M. Kinnan is senior avionics and safety-critical systems specialist at Wind River, where he has worked for more than nine years with a primary focus on safety-critical systems and ARINC 653 solutions. He has extensive experience with numerous aerospace programs such as 767 Tanker, Boeing 787, C130-AMP, and other commercial and military aircraft. Prior to joining Wind River, Larry was employed in the medical device design and development community where he was involved in safety-critical device design, development, and deployment. He can be reached at larry.kinnan@windriver.com.

Wind River
330-677-2299
www.windriver.com